Critic of Healthcare.gov Security Now Says All Is A-OK

WASHINGTON – A government cybersecurity expert who initially criticized what she considered to be inadequate protections on the Obamacare website is now giving the system a clean bill of health.

Teresa Fryer, the chief information security officer for the Centers for Medicare & Medicaid Services, the agency charged with overseeing the site, told the House Oversight & Government Reform Committee on Thursday that recent tests revealed healthcare.gov has not bowed to any cyber assaults and that all appears safe.

“The protections that we have put in place have successfully prevented attacks,” Fryer said. “While no serious security professional will ever guarantee that any system is hack-proof, I am confident, based on the recent security controls assessment and additional security protections, that it is secure.”

“The testing was successfully completed,” she said. “It had good results.”

Fryer, in a memo written in September before the official October launch of healthcare.gov, asserted that the site failed to meet security standards and expressed doubt that the personal information entered by consumers in 36 states hoping to gain the information necessary to purchase health insurance would be properly protected.

She furthermore expressed doubt that the site, created as a marketplace for those looking to fulfill the requirements of the Affordable Care Act, was ready for public use.

That last fear proved prophetic – the tip-off of healthcare.gov proved disastrous, with consumers frequently unable to call up the site and take advantage of its services. Most of those shortcomings have been addressed, and now Fryer is offering assurances that it is secure.

Fryer told the panel that security testing is ongoing and that thus far “the protections we have put in place have successfully prevented attacks.” Given that experience, she said she would recommend that the site be granted the authority to operate (ATO) once the current authorization expires in March. Last September she recommended that the ATO – which was required to launch healthcare.gov – not be signed, advice that wasn’t heeded by officials in the Department of Health and Human Services.

Regardless, committee Republicans, led by Rep. Darrell Issa (R-Calif.), the panel’s chairman, expressed doubt over the website’s security and raised questions regarding why it was allowed to launch in the first place when there was an issue about its vital protections.

Issa insisted that healthcare.gov remains “questionable in its security” and characterized potential vulnerabilities as “very serious” since the database contains reams of personal data.

David "hacker extraordinaire" Kennedy also testified yesterday that security on healthcare.gov is even worse than at the initial Oct. 1 rollout, given that each and every haphazard, catch-as-catch-can "patch" results in new vulnerabilities.